April 9, 2014

The Internet is still in a panic a full day after security researchers went public with the Heartbleed bug, a flaw in OpenSSL that enables hackers to steal logins, passwords and even credit card information.

Essentially, that means a lot of Internet users are affected, the team of security engineers at Codenomicon and Neel Mehta of Google Security, who jointly discovered the bug, said.

“Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” reads a Web page devoted to explaining the massive bug.

“Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services.”

But what can you do to protect yourself?

Not much, according to Vox’s Timothy B. Lee.

“Unfortunately, there’s nothing users can do to protect themselves if they visit a vulnerable website. The administrators of vulnerable websites will need to upgrade their software before users will be protected,” he wrote in a blog post.

According to news reports, Yahoo and dating website OKCupid have been affected, although Yahoo has reportedly patched the problem.

A Yahoo representative told Vox its “team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

Lee said once “an affected website has fixed the problem on their end, users can protect themselves by changing their passwords. Attackers might have intercepted user passwords in the meantime … there’s probably no way for users to tell whether anyone intercepted their passwords.”

That means you should change your passwords for all sensitive sites you visit — Yahoo users especially should change their passwords. SplashData offers the following tips for choosing more secure passwords:

• Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, “eat cake at 8!” or “car_park_city?”

• Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites as you do for online e-mail, social networking, and financial services. Use different passwords for each new website or service you sign up for.

• Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites. There are numerous applications available, but choose one with a strong track record of reliability and security like SplashID Safe, which has a 10-year history and more than one million users. SplashID Safe has versions available for Windows and Mac as well as Smartphones and tablet devices.

There is some good news at least: the researchers who discovered the Heartbleed bug informed the developers behind OpenSSL a number of days before going public with the flaw, so much of the problem was fixed before word got out yesterday, according to Business Insider.

“Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks,” the report said.

Hi Brian,
Just to clarify, we are not recommending anyone use SplashData’s products. We are simply pointing to some useful tips the company offers on choosing a strong password. Thanks for the feedback and for reading SitePro!

This heartbleed case has been storming around the web. Yet many still do not know what it is about.
Thanks, Jen, for the insightful and helpful post, especially for referring to filippo to easily do a heartbleed stuff check.